DETAILED ACTION

This action is in response to the communication filed on 9/23/10.

All objections and rejections not set forth below have been withdrawn.

Claims 1, 4-12, 16-21, and 24-28 are pending.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114 was filed in this application after a decision by the Board of Patent Appeals and Interferences, but before the filing of a Notice of Appeal to the Court of Appeals for the Federal Circuit or the commencement of a civil action. Since this application is eligible for continued examination under 37 CFR 1.114 and the fee set forth in 37 CFR 1.17(e) has been timely paid, the appeal has been withdrawn pursuant to 37 CFR 1.114 and prosecution in this application has been reopened pursuant to 37 CFR 1.114. Applicant's submission filed on 9/23/10 has been entered.



Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1, 4-12, 16-21, and 24-28 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.

Regarding claims 1 and 4-11, the applicant recites a method failing to be tied to a particular machine or cause the transformation of matter into another state or thing and thus fails to recite a method falling within the scope of statutory subject matter. It is noted that the recitation of "a computing device" appears to comprise the disclosed entities such as web services, servers, browsers, and clients that are seen to be software entities in and of themselves and they are not necessarily stated or claimed to be embodied in hardware structure (e.g. see fig. 1:102). The examiner respectfully suggests that the applicant explicitly recite hardware structure within the claim. Furthermore, the recitation of "embodied on computer storage media" does not appear to preclude the use of signals which can be used to embody (i.e. "store") software instructions (e.g. see par. 72). The examiner respectfully suggests that the applicant recite "embodied on non-transitory computer storage media".

Regarding claims 12, 16-21, and 24-28, the applicant recites a system comprising software embodied upon signals and media bearing instructions. The recitation of "embodied on computer storage media" (e.g. claim 1, 12) does not appear to preclude the use of signals which can be used to embody (i.e. "store") software instructions (e.g. see par. 72). As software embodied upon signals fails to comprise statutory subject matter, these claims are rejected as non-statutory. The examiner respectfully suggests that the applicant recite "embodied on non-transitory computer storage media".

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless -

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on sale in this country, more than one year prior to the date of application for patent in the United States.

Claims 1, 4-12, 16-21, and 24-28 are rejected under 35 U.S.C. 102(b) as being anticipated by Scott et al. (Scott), "Abstracting Application-Level Web Security".

Regarding claim 1, Scott discloses:

receiving data input through a web page from a client device (fig. 1, page 2, col. 1, par. 3-6); referencing a declarative module to determine a client input security screen to apply to the data input from the client device (page 3, col. 2, par. 2);

wherein the declarative module comprises:

a global section that includes at least one client input security screen that applies to any type of client input value (fig. 2; page 6, col. 1, par. 1, 2, par. 2, lines 9-13). Scott discloses input security screens (i.e. a transformation screen) that are applied to all user input (parameters values);

an individual values section that includes at least one client input security screen that applies to a particular type of client input value (fig. 2; page 4, col. 1). Herein, Scott discloses screens for screening particular types of client input values (i.e. cookies, uris, other parameters). Thus Scott discloses an individual values section.

and applying multiple client input security screens to the data input from the client device (page 3, col. 2, par. 2; fig. 2), including at least one client input security screen from the global section of the declarative module and at least one client input security screen from the individual values section of the declarative module, wherein the client input security screens are distinct from one another (page 3, col. 2, par. 1, 2; fig. 2). Herein, Scott discloses separate screens.

and wherein said act of referencing comprises first using the global section to screen one or more client input values and then using the individual values section to screen at least one of said one or more client input values (sect. 3.4, par. 3).

Regarding claim 4, Scott discloses:

wherein the particular type of client input value is one of the following types of client input values: query string; server variable; form value; cookie (Scott, fig. 2).

Regarding claim 5, Scott discloses:

wherein the declarative module further comprises a web.config file (Scott, page 1, col. 2, par. 3; page 3, col. 2, par. 1).
Regarding claim 6, Scott discloses:

wherein the applying the client input security screen further comprises executing a default action on invalid client input detected by the client input security screen (Scott, page 3, col. 2, par. 1, lines 8-13, par. 2, lines 5-11; page 4, col. 2, par. 3, 4). Scott discloses the application of several types of input screening to all input data (default screening) wherein actions are performed on all the input data during the process of data input security screening. Additionally, Scott discloses default transformations that can be applied during the screening of invalid input data.

Regarding claim 7, Scott discloses:

wherein the applying the client input security screen further comprises executing a specified action on invalid client input detected by the client input security screen, the specified action being specified in the client input security screen (Scott, page 4, col. 1, par. 4-6).

Regarding claim 8, Scott discloses:

wherein a client input security screen further comprises one or more values that may be entered as client input, the one or more values further comprising the only values that may be entered as client input (Scott, page 4, col. 1, par. 4-6). Scott discloses a security screen that constrains client input to a set of values, such as any integer: 0 - int [length 4]. Thus, the security screen effectively comprises the values of 0 - int [length 4] to be imposed upon the client input as a restriction. Additionally, Scott discloses that the security screen comprises specific URL values (extracted from HTTP requests) that may be entered as client input (Scott, page 6, col. 2, par. 1).

Regarding claim 9, Scott discloses:

wherein a client input security screen further comprises one or more screened values that, when detected in the client input, cause an action to be taken on the client input (Scott, fig. 4; page 3, col. 2, par. 2; page 4, col. 2, par. 3).

Regarding claim 10, Scott discloses:

wherein the action to be taken further comprises removing the one or more screened values detected in the client input (Scott, fig. 4; page 3, col. 2, par. 2; page 4, col. 2, par. 3, 4). Scott discloses the encoding of screened values (removal and replacement). Additionally, Scott discloses the removal of values from client input based upon the client input security screen (Scott, page 7, col. 2, par. 1.1-1.2).

Regarding claim 11, Scott discloses:

wherein the action to be taken further comprises removing an entire string that contains the one or more screened values detected in the client input (Scott, page 6, col. 2, par. 3; fig. 5; page 9, col. 1, par. 2.2).
Regarding claim 12, it is the system claim corresponding to the method claim 1, and is rejected for, at least, the same reasons, and furthermore because Scott discloses:

a web page server unit configured to provide one or more web pages to one or more client devices over a distributed network (Scott, fig. 1).

Regarding claim 16, Scott discloses:

wherein a screening rule further comprises a client input variable that may be accepted as input from a client (Scott, fig. 5). Scott discloses various screening rules that accept client input variables.

Regarding claim 17, Scott discloses:

wherein a screening rule further comprises one or more screened characters that, when detected in client input, are screened from the client input according to a screening rule (Scott, fig. 5 - see transformation).

Regarding claim 18, Scott discloses:

wherein the screening rule further comprises a default screening action that is applied in the absence of a specified screening action (Scott, fig. 5 - see transformation). Scott discloses a single screening action that is to be performed, and thus, a default screening action.

Application/Control Number: 10/606,089 Page 9 



Art Unit: 2137 

Regarding claim 19, Scott discloses:

wherein the screening rule further comprises a specified screening action that is applied to the screened client input (Scott, fig. 5 - see transformation). Scott discloses a single specific screening action that is to be performed.

Regarding claim 20, it is rejected, at least, for the same reasons as claim 5.

Regarding claim 21, it is rejected, at least, for the same reasons as claim 1, and furthermore because Scott discloses:

serving a web page to a client over a distributed network; receiving client input via the web page (Scott, fig. 1, page 2, col. 1, par. 3-6); comparing the client input with multiple and distinct client input security screens stored in a security declarative module; wherein the security declarative module includes a global section configured to screen all types of client input values and an individual values section configured to screen particular types of client input values (see rejection of claim 1); if invalid client input is detected, performing a screening action on the invalid client input as indicated by the security declarative module (Scott, page 3, col. 2, par. 2; page 4, col. 2, par. 3; page 6, col. 1, par. 1, 2; fig. 5); and wherein the client input security screens included in the security declarative module can be applied to multiple web pages (Scott, page 4, col. 1, par. 2).

Furthermore, Scott discloses a computer system, and thus discloses media and instructions (Scott, fig. 1).

Regarding claims 24 and 25, they are the media and instruction claims corresponding to the method and system claims of 5-7, 18, and 19, and they are rejected for, at least, the same reasons.

Regarding claim 26, Scott discloses:

wherein the screening action further comprises a default action that is not required to be specified in a client input security screen (Scott, page 6, col. 1, par. 1, 2).

Regarding claims 27 and 28, Scott discloses:

wherein the multiple web pages are included in a web project and wherein the multiple web pages are included in a web-based application (Scott, Abstract; Introduction; fig. 1; section 3.1; page 4, col. 1, par. 2; page 6, col. 1, par. 2, col. 2, par. 1). Scott discloses a security policy to be applied to a large web-application, the policy comprising rules for the web pages of a site. The web pages are associated with a web application, thus, they are included in a web project/application.

Response to Arguments

Furthermore, Applicant's arguments filed 9/23/10 have been fully considered but they are not persuasive.
Applicants argue or assert essentially that:

The Board states that "[t]o the extent recited in the claims, the web services, servers, browsers, and clients appear to be software entities in and of themselves and they are not necessarily stated or claimed to be embodied in hardware structure" (Decision on Appeal, pg. 5). Applicant respectfully points out that claim 1 recites "a client device" which is described in the Specification, among other places on pg. 12, lines 21-22: "[c]omputer environment 400 includes a general-purpose computing device in the form of a computer 402. Computer 402 can be, for example, a client 110 or server 102". Accordingly, a client device is indeed a statutory hardware device.

(Remarks, pg. 10)

Examiner respectfully responds:

It is respectfully noted that the examiner agrees with the findings of the Board. Particularly, the applicant's recitation of "a computing device" appears to comprise the disclosed entities, such as a server, that are seen to be software entities in and of themselves and they are not necessarily stated or claimed to be embodied in hardware structure (e.g. see fig. 1:102). Furthermore, the applicant's arguments fail to comprise evidence or rationale showing that the claims comprise any particular recitation of hardware. The examiner respectfully suggests that the applicant explicitly recite hardware structure within the claim.

Applicants argue or assert essentially that:

Applicant's specification describes "computer storage media" on pg. 17, lines 8-16 which is reproduced below for the convenience of the Office.

"Computer storage media" includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules, or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.

Computer storage media, as supported by the Specification, is indeed statutory in nature. Accordingly, for all of these reasons, Applicant respectfully requests that the § 101 rejection be withdrawn.

(Remarks, pg. 11)

Examiner respectfully responds:

It is respectfully noted that the examiner agrees with the findings of the Board. Particularly, it is noted that the recitation of "embodied on computer storage media" (e.g. claim 1, 12) does not appear to preclude the use of signals which can be used to embody (i.e. "store") software instructions (e.g. see par. 72). Furthermore, it is noted that the applicant's remarks comprise only a non-limiting example of "computer storage media" and is not seen as a definition precluding the use of signals for embodying (e.g. "storing") software. As software embodied upon signals fails to comprise statutory subject matter, these claims are rejected as non-statutory. The examiner respectfully suggests that the applicant recite "embodied on non-transitory computer storage media".


Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:

See Notice of References Cited.

A shortened statutory period for reply is set to expire 3 months (not less than 90 days) from the mailing date of this communication.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffery Williams whose telephone number is (571) 272-7965. The examiner can normally be reached on 8:30-5:00.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Emmanuel Moise can be reached on (571) 272-3865. The fax phone number for the organization where this application or proceeding is assigned is (703) 872-9306.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/Jeffery Williams/
Examiner, Art Unit 2437

/Emmanuel L. Moise/
Supervisory Patent Examiner, Art Unit 2437



